Creating and Exporting an Institutional Recovery Key without the Private Key

Jamf Pro Documentation 11.16.0


Requirements

You need an administrator computer with macOS 10.11 or later to create and export an institutional recovery key.

  1. On an administrator computer, open Terminal and execute the following command:

    sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain

  2. When prompted, enter a password for the new keychain.
  3. A keychain (FileVaultMaster.keychain) is created in the following location:

    /Library/Keychains/

  4. Unlock the keychain by opening Terminal and executing the following command:

    security unlock-keychain /Library/Keychains/FileVaultMaster.keychain

  5. Open Keychain Access.
  6. From the menu bar, choose "Add Keychain" from the File menu. Then, add the FileVaultMaster.keychain file located in /Library/Keychains/.
  7. Select FileVaultMaster under the Keychains heading in the sidebar, and then select "All Items" under the Category heading.
  8. Select the certificate.

    [Image: A macOS Keychain Access window with "FileVault Master Password Key" highlighted]

    Important: Do not select the private key associated with the certificate.

  9. From the menu bar, choose "Export Items" from the File menu. Then, save the recovery key as a .pem file or .cer file.

    You will need to upload this file to Jamf Pro when creating the disk encryption configuration.

  10. Quit Keychain Access.
  11. Store the keychain (FileVaultMaster.keychain) in a secure location so you can use it to access encrypted data at a later time.

The Recovery Key is saved as a .cer file or a .pem file in the location you specified.
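As an added example (not from the Jamf documentation), the procedure above done from Terminal with Apple's `security` tool instead of Keychain Access, together with the check a practitioner would run on the exported file before uploading it to Jamf Pro. `security find-certificate -p` writes only the certificate (the public half) in PEM form, so the private key never leaves FileVaultMaster.keychain; `check_recovery_cert` refuses any file that carries a PRIVATE KEY block, which is what an export that included the key would contain. The output path, the `export`/`check`/`inspect` subcommand names and the PEM-only scope of the check are assumptions; a DER-format .cer exported from Keychain Access can be converted with `openssl x509 -inform DER -outform PEM` before being checked.

```shell
#!/bin/sh
# Added example (not Jamf's code): export the institutional recovery key
# certificate from the FileVaultMaster keychain with the security CLI and
# verify that the resulting file holds no private key.
# Assumed: the EXPORT path and the export/check/inspect subcommand names.

KEYCHAIN=/Library/Keychains/FileVaultMaster.keychain
EXPORT=${EXPORT:-"$HOME/FileVaultMaster.pem"}   # assumed output path

# check_recovery_cert FILE
# Succeeds only if FILE holds a PEM certificate block and no key material
# (BEGIN PRIVATE KEY, BEGIN RSA PRIVATE KEY, BEGIN ENCRYPTED PRIVATE KEY ...).
# Uses grep only, so it runs wherever the file is handled before upload.
check_recovery_cert() {
    f=$1
    [ -s "$f" ] || { echo "REJECT: $f is missing or empty" >&2; return 1; }
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "REJECT: $f contains a private key; export the certificate only" >&2
        return 1
    fi
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || {
        echo "REJECT: $f has no PEM certificate block" >&2
        return 1
    }
    return 0
}

# describe_recovery_cert FILE
# Parses the certificate with openssl (if installed) so its subject and
# fingerprint can be compared with what Keychain Access shows.
describe_recovery_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    openssl x509 -in "$1" -noout -subject -fingerprint -sha256
}

# export_recovery_cert
# macOS only: steps 1, 2, 4 and 9 of the procedure via the security CLI.
export_recovery_cert() {
    if [ ! -f "$KEYCHAIN" ]; then
        # Prompts for the new keychain password (step 2).
        sudo security create-filevaultmaster-keychain "$KEYCHAIN"
    fi
    security unlock-keychain "$KEYCHAIN"                    # prompts for that password
    security find-certificate -a -p "$KEYCHAIN" > "$EXPORT" # certificate only, PEM
    check_recovery_cert "$EXPORT" || { rm -f "$EXPORT"; return 1; }
    echo "exported certificate to $EXPORT"
    echo "keep $KEYCHAIN offline: it holds the private key that unlocks encrypted disks"
}

case "${1:-}" in
    export)  export_recovery_cert ;;
    check)   check_recovery_cert "$2" && echo "OK: $2 holds a certificate and no private key" ;;
    inspect) describe_recovery_cert "$2" ;;
esac
```

Run `sh export-irk.sh export` on the administrator computer to produce the .pem to upload, and `sh export-irk.sh check FileVaultMaster.pem` on any machine that handles the file afterwards; the check is the useful part, because a file that passes it can be uploaded to Jamf Pro without exposing the key that decrypts the institution's disks.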